The Protection of Classified Information: The Legal Framework - Updated August 12, 2022
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
The Protection of Classified Information:
The Legal Framework
Updated August 12, 2022
Congressional Research Service
https://crsreports.congress.gov
RS21900The Protection of Classified Information: The Legal Framework Summary This report provides an overview of the relationship between executive and legislative authority over national security information. It summarizes the current laws that form the legal framework protecting classified information, including current executive orders and some agency regulations pertaining to the handling of unauthorized disclosures of classified information by government officers and employees. The report also summarizes criminal laws that pertain specifically to the unauthorized disclosure of classified information, as well as civil and administrative penalties. Finally, the report discusses insider risk management measures. Congressional Research Service
The Protection of Classified Information: The Legal Framework
Contents
Background ..................................................................................................................................... 1
Executive Order 13526 .................................................................................................................... 6
Handling of Unauthorized Disclosures ........................................................................................... 8
Information Security Oversight Office...................................................................................... 9
Intelligence Community ........................................................................................................... 11
Department of Defense ............................................................................................................ 11
Department of State................................................................................................................. 14
Penalties for Unauthorized Disclosure .......................................................................................... 14
Criminal Penalties ................................................................................................................... 15
Civil Penalties and Other Measures ........................................................................................ 15
Declassification vs. Leaks and “Instant Declassification” ............................................................ 16
Insider Threat Risk Management .................................................................................................. 20
Contacts
Author Information........................................................................................................................ 22
Congressional Research ServiceThe Protection of Classified Information: The Legal Framework
Background
Prior to the New Deal, decisions regarding classification of national security information were
left to military regulation.1 In 1940, President Franklin Roosevelt issued an executive order
authorizing government officials to protect information pertaining to military and naval
installations.2 Presidents since that time have continued to set the federal government’s
classification standards by executive order, but with one critical difference: while President
Roosevelt cited specific statutory authority for his action,3 later Presidents have cited general
statutory and constitutional authority.4
The Supreme Court has never directly addressed the extent to which Congress may constrain the
executive branch’s power in this area. Citing the President’s constitutional role as Commander-
in-Chief,5 the Supreme Court has repeatedly stated in dicta that “[the President’s] authority to
classify and control access to information bearing on national security ... flows primarily from
this Constitutional investment of power in the President and exists quite apart from any explicit
congressional grant.”6 This language has been interpreted by some to indicate that the President
has plenary authority to control classified information.7 On the other hand, the Supreme Court has
1 See Harold Relyea, The Presidency and the People’s Right to Know, in THE PRESIDENCY AND INFORMATION POLICY 1,
16-18 (1981).
2 Exec. Order No. 8381, 5 Fed. Reg. 1147 (Mar. 26, 1940).
3 See id. (citing the act of January 12, 1938, 52 Stat. 3, § 1).
4 See, e.g., Exec. Order No. 10501 (1953); Exec. Order No. 13292 (2003). President Obama’s executive order on
classified information, Exec. Order No. 13526, 75 Fed. Reg. 707, 1013 (Dec. 29, 2009), also cites constitutional
authority. The Trump Administration did not issue a new executive order pertaining to classified information, nor has
the Biden Administration.
5
U.S. CONST., art. II, § 2; CONG. RES. SERV., Constitution Annotated: Analysis and Interpretation of the U.S.
Constitution, ArtII.S2.C1.1.1 Historical Background, https://constitution.congress.gov/browse/essay/artII-S2-C1-1-1/
ALDE_00001127/.
6 Department of the Navy v. Egan, 484 U.S. 518, 527 (1988) (quoting Cafeteria Workers v. McElroy, 367 U.S. 886,
890 (1961)). In addition, courts have also been wary to second-guess the executive branch in areas of national security.
See, e.g., Haig v. Agee, 453 U.S. 280, 291 (1981) (“Matters intimately related to foreign policy and national security
are rarely proper subjects for judicial intervention.”). The Court has suggested, however, that it might intervene where
Congress has provided contravening legislation. Egan, 484 U.S. at 530 (“Thus, unless Congress specifically has
provided otherwise, courts traditionally have been reluctant to intrude upon the authority of the Executive in military
and national security affairs.”) (emphasis added).
7 President George W. Bush objected to some provisions of the Intelligence Reform and Terrorism Prevention Act, P.L.
108-458 (2004), that he viewed as impeding on presidential prerogatives:
Several provisions of the Act, including Title III and section 7601, purport to regulate access to
classified national security information. The Supreme Court of the United States has stated that the
President’s authority to classify and control access to information bearing on national security
flows from the Constitution and does not depend upon a legislative grant of authority. The
executive branch shall construe such provisions in a manner consistent with the Constitution’s
commitment to the President of the executive power, the power to conduct the Nation’s foreign
affairs, and the authority as Commander in Chief.
Statement on Signing the Intelligence Reform and Terrorism Prevention Act of 2004, 2004 PUB. PAPERS 3118, 3119
(Dec. 17, 2004). President Bush used similar language to object to other provisions regarding congressional
notification. See, e.g., 2002 PUB. PAPERS 46, 47-48 (Jan. 10, 2002); id. at 1870 (Oct. 23, 2002); 2003 PUB. PAPERS 1217
(Sept. 30, 2003); id. at 1603 (Nov. 22, 2003); 2004 PUB. PAPERS 1494 (Aug. 5, 2004); 2005 PUB. PAPERS 1794 (Nov.
30, 2005; id. at 1901 (Dec. 5, 2005); 2006 PUB. PAPERS 1152, 1153 (June 15, 2006); id. at 1733 (Sept. 29, 2006).
President Trump used nearly identical language to object to a provision in the Consolidated Appropriations Act of
2017, P.L. 115-31 (2017), that requires 30 days’ advance congressional notification prior to establishing a new special
access program (§ 8009). In his signing statement, President Trump wrote:
Congressional Research Service 1The Protection of Classified Information: The Legal Framework
suggested that “Congress could certainly [provide] that the Executive Branch adopt new
[classification procedures] or [establish] its own procedures—subject only to whatever limitations
the Executive Privilege may be held to impose on such congressional ordering.”8 In fact,
Congress established a separate regime in the Atomic Energy Act for the protection of nuclear-
related “Restricted Data.”9
Congress has also directed the President to establish procedures governing the access to classified
material so that generally no person can gain such access without having undergone a background
check.10 In addition, Congress directed the President, in formulating the classification procedures,
to adhere to certain minimum standards of due process with regard to access to classified
information.11 These standards include establishing uniform procedures for, inter alia,
background checks, denial of access to classified information, and notice of such denial.12 There
is an exception to the due process requirements, however, where compliance could damage
national security, although the statute directs agency heads to submit a report to the congressional
intelligence committees in such a case.13
With the authority to determine classification standards vested in the President, these standards
often change when a new administration takes control of the White House.14 The differences
between the standards of one administration and the next have at times been dramatic. As one
congressionally authorized commission put it in 1997:
The rules governing how best to protect the nation’s secrets, while still insuring that the
American public has access to information on the operations of its government, past and
The President’s authority to classify and control access to information bearing on the national
security flows from the Constitution and does not depend upon a legislative grant of authority.
Although I expect to be able to provide the advance notice contemplated by section 8009 in most
situations as a matter of comity, situations may arise in which I must act promptly while protecting
certain extraordinarily sensitive national security information. In these situations, I will treat these
sections in a manner consistent with my constitutional authorities, including as Commander in
Chief.
Statement by President Donald J. Trump on Signing H.R. 244 into Law (May 5, 2017),
https://trumpwhitehouse.archives.gov/briefings-statements/statement-president-donald-j-trump-signing-h-r-244-law/;
see also Steven Aftergood, Trump Objects to Legislated Limits on Secrecy, FED’N AM. SCIENTISTS: SECRECY NEWS
(May 8, 2017), https://fas.org/blogs/secrecy/2017/05/trump-saps/ (noting similarity between Supreme Court Egan
quote and President’s claim).
8 EPA v. Mink, 410 U.S. 73, 83 (1973).
9 42 U.S.C. §§ 2162-69 (2017). In addition, the Invention Secrecy Act, 35 U.S.C. §§ 181-88 (2017), authorizes the
Commissioner of Patents to keep secret those patents on inventions in which the government has an ownership interest
and the widespread knowledge of which would, in the opinion of the interested agency, harm national security. For a
more detailed discussion of these and other regulatory regimes for the protection of sensitive government information,
see CRS Report R41404, Criminal Prohibitions on Leaks and Other Disclosures of Classified Defense Information, by
Stephen P. Mulligan and Jennifer K. Elsea.
10
Counterintelligence and Security Enhancement Act of 1994, Title VIII of Pub. L. No. 103-359, 108 Stat. 3423, 3434
(codified at 50 U.S.C. §§ 3161-64). Congress has also required specific regulations regarding personnel security
procedures for employees of the National Security Agency, Pub. L. No. 88-290, 78 Stat. 168 (1964) (codified at 50
U.S.C. §§ 831-35).
11 50 U.S.C. § 3161(a).
12 Id.
13 Id. § 3161(b). The House Conference Report that accompanied this legislation in 1994 suggests that Congress
understood that the line defining the boundaries of executive and legislative authority in this area is blurry at best. The
conferees made explicit reference to the Egan case, expressing their desire that the legislation not be understood to
affect the President’s authority with regard to security clearances. See H.R. REP. NO. 103-753, at 54.
14 See Report of the Commission on Protecting and Reducing Government Secrecy, S. DOC. NO. 105-2, at 11 (1997).
Congressional Research Service 2The Protection of Classified Information: The Legal Framework
present, have shifted along with the political changes in Washington. Over the last fifty
years, with the exception of the Kennedy Administration, a new executive order on
classification was issued each time one of the political parties regained control of the
Executive Branch. These have often been at variance with one another ... at times even
reversing outright the policies of the previous order.15
Various congressional committees have investigated ways to bring some continuity to the
classification system and to limit the President’s broad powers to shield information from public
examination.16 In 1966, Congress passed the Freedom of Information Act (FOIA),17 creating a
presumption that government information will be open to the public unless it falls into one of
FOIA’s exceptions. One exception covers information that, under executive order, must be kept
secret for national security or foreign policy reasons.18 In 2000, Congress enacted the Public
Interest Declassification Act of 2000,19 which established the Public Interest Declassification
Board to advise the President on matters regarding the declassification of certain information.
However, the act expressly disclaims any intent to restrict agency heads from classifying or
continuing the classification of information under their purview, nor does it create any rights or
remedies that may be enforced in court.20 Congress also passed the Reducing Over-Classification
Act, P.L. 111-258 (2010), which, among other things, requires executive branch agencies’
inspectors general to conduct assessments of their agencies’ implementation of classification
policies.21
Congress occasionally takes an interest in declassification of specific materials that might be
deemed essential for some public purpose. The procedural rules of both the Senate and House
provide a means for disclosing classified information in the intelligence committees’ possession
where the intelligence committee of the respective house (either the House Permanent Select
Committee on Intelligence (HPSCI) or the Senate Select Committee on Intelligence (SSCI))
determines by vote that such disclosure would serve the public interest.22 In the event the
intelligence committee votes to disclose classified information that was submitted by the
executive branch, and the executive branch requests it be kept secret, the committee is required to
notify the President prior to disclosure. The information may be disclosed after five days
following notification unless the President formally objects and certifies that the threat to the U.S.
national interest outweighs any public interest in disclosing it, in which case the question may be
referred to the full chamber.23
15 Id.
16 See, e.g., Availability of Information from Federal Departments and Agencies: Hearings Before the House
Committee on Government Operations, 85th Cong. (1955).
17 Pub. L. No. 89-554, 80 Stat. 383 (1966) (codified as amended at 5 U.S.C. § 552).
18 5 U.S.C. § 552(b)(1). The Supreme Court has honored Congress’s deference to executive branch determinations in
this area. EPA v. Mink, 410 U.S. 73 (1973). Congress, concerned that the executive branch may have declared some
documents to be “national security information” that were not vital to national security, added a requirement that such
information be “properly classified pursuant to an executive order.” 5 U.S.C. § 552(b)(1)(B).
19 Pub. L. No. 106-567, title VII, 114 Stat. 2831, 2856 (2000) (codified as amended at 50 U.S.C. § 3355-55g).
20 Id. §§ 705 and 707 (codified at 50 U.S.C. §§ 3355c, 3355e).
21 Pub. L. No. 111-258 § 6, 124 Stat. 2648, 2651 (2010) (codified at 50 U.S.C. § 3161 note).
22 Rules of the House of Representatives, 117th Congress, Rule X, 11(g)(1); S. Res. 400, 94th Congress, Sec. 8(a).
23 Rules of the House of Representatives, 117th Congress, Rule X, 11(g)(2); S. Res. 400, 94th Congress, Sec. 8(b). The
House and Senate Rules regarding the vote to disclose classified information are substantially similar, although the
Senate Manual additionally requires notification to the Majority and Minority Leaders.
Congressional Research Service 3The Protection of Classified Information: The Legal Framework It does not appear that, to date, either house has invoked its procedure for disclosing classified information. In fact, in at least one instance, Congress deferred to the executive branch even with respect to materials prepared by Congress,24 albeit perhaps using documents obtained from the executive branch. One example of congressional declassification procedure involved the 28 pages of classified text from the report of the Joint Inquiry of the HPSCI and the SSCI into the Intelligence Community Activities Before and After the Terrorist Attacks of September 11, 2001.25 The report of the Joint Inquiry was completed in 2002 and referred to the executive branch for a classification review, which determined that three of the four parts of the report could be disclosed to the public, but that the disclosure of a portion of the report would pose national security risks.26 Despite calls for the release of the 28 pages by some Members and former Members,27 and legislative proposals to mandate disclosure,28 the intelligence committees awaited a declassification review by the intelligence community before releasing the material in redacted form.29 Another notable instance in which Congress sought and procured the declassification of government information involved records pertaining to prisoners of war and personnel listed as missing in action after the Vietnam War (“POW/MIA”).30 Congress initially required certain agencies to provide information regarding “live-sightings” of such personnel to next of kin, with the exception of “information that would reveal or compromise sources and methods of intelligence collection.”31 Congress subsequently directed the Department of Defense (DOD) to create an accessible library of documents related to POW/MIA, excluding records that would be exempt under certain provisions of FOIA.32 The Senate Select Committee on POW/MIA Affairs considered invoking the procedural rule described above to declassify relevant documents, but deemed that untested avenue unsuitable because it would have required the Committee to identify the documents beforehand and to have had them in its possession. Furthermore, enforcement of the measure would have required the full vote of the Senate.33 Instead, Members wrote to President George H. W. Bush requesting an executive order to accomplish the declassification of 24 See, e.g., S. REP. NO. 114-8 at 12 (describing negotiations between the Chairman of the SSCI and the Obama Administration regarding redactions necessary to release an unclassified version of the Committee’s executive summary to its report on the Central Intelligence Agency’s detention and interrogation of detainees). 25 H. REP. NO. 107-792. 26 See Director of National Intelligence, Statement by the ODNI on the Declassification of Part Four of the SSCI and HPSCI’s 2002 Report on the Committees’ Joint Inquiry into Intelligence Community Activities Before and After the Terrorist Attacks of September 11, 2001 (July 15, 2016), https://www.dni.gov/index.php/newsroom/congressional- testimonies/congressional-testimonies-2016/item/1612-statement-by-the-odni-on-the-declassification-of-part-four-of- the-ssci-and-hpsci-s-2002-report-on-the-committees-joint-inquiry-into-intelligence-community-activities-before-and- after-the-terrorist-attacks-of-september-11-2001. 27 See Carl Hulse, Claims Against Saudis Cast New Light on Secret Pages of 9/11 Report, N.Y. TIMES, Feb. 4, 2015, https://www.nytimes.com/2015/02/05/us/claims-against-saudis-cast-new-light-on-secret-pages-of-9-11-report.html. 28 E.g., S. 1471 (114th Cong.); H. Res. 779 (114th Cong.); H. Res. (114th Cong.). 29 See CRS Report RL33533, Saudi Arabia: Background and U.S. Relations, by Christopher M. Blanchard, appendix C. 30 See Report of the Select Committee on POW/MIA Affairs, S. REP. NO. 103-1, at 233-44, available at http://lcweb2.loc.gov/frd/pow/senate_house/pdf/report_S.pdf. 31 Pub. L. No. 100-453 § 404, 102 Stat. 1904, 1908 (1988) (codified at 50 U.S.C. § 3161 note). 32 Pub. L. No. 102-190, div. A, § 1082, 105 Stat. 1290, 1480 (1991) (codified at 50 U.S.C. § 3161 note). The POW/MIA database was created at the Library of Congress and may be accessed at http://lcweb2.loc.gov/frd/pow/ powhome.html. 33 S. REP. NO. 103-1 at 237. Congressional Research Service 4
The Protection of Classified Information: The Legal Framework relevant records,34 which was followed by a resolution expressing the sense of the Senate that the President should expeditiously issue an executive order for the declassification, without compromising national security, of relevant documents.35 President Bush complied.36 Congress has directed the President or agency heads through legislation to undertake a declassification review of records pertaining to specific matters and to release them as appropriate. For example, Congress in 2000 directed the President to “order all Federal agencies and departments that possess relevant information [about the murders of churchwomen in El Salvador] to make every effort to declassify and release” them to victims’ families.37 In 2002, Congress directed the Secretary of Defense to submit to Congress and to the Secretary of Veterans Affairs “a comprehensive plan for the review, declassification, and submittal” of all information related to Project 112—a series of biological and chemical warfare vulnerability tests conducted by the Department of Defense38—that would be relevant for that project’s participants’ health care.39 In 2004, Congress directed the Secretary of Defense to “review and, as determined appropriate, revise the classification policies of the Department of Defense with a view to facilitating the declassification of data that is potentially useful for the monitoring and assessment of the health of members of the Armed Forces who have been exposed to environmental hazards during deployments overseas.”40 In 2007, Congress directed the Director of the Central Intelligence Agency (CIA) to make public a version of the executive summary of the CIA Office of the Inspector General report on “CIA Accountability Regarding Findings and Conclusions of the Joint Inquiry into Intelligence Community Activities Before and After the Terrorist Attacks of September 11, 2001,” declassified “to the maximum extent possible, consistent with national security.”41 In 2014, Congress directed the Director of National Intelligence (DNI) to conduct a declassification review of documents collected during the raid that killed Osama bin Laden, requiring a justification for materials that remain classified after the review.42 In 2022, Congress directed the Director of National Intelligence to conduct a declassification review to “determine what, if any, additional information relating to the terrorist attacks of September 11, 2001” can be released to the public.43 34 Id. at 237-38. 35 S. Res. 324 (102d Cong.). 36 Exec. Order No. 12812, 57 Fed. Reg. 32879 (July 22, 1992). 37 Pub. L. No. 106-429, § 587, 114 Stat. 1900, 1900A–58 (2000). 38 See U.S. Department of Veterans Affairs, Public Health, About Project 112 and Project SHAD, available at https://www.publichealth.va.gov/exposures/shad/basics.asp. 39 Pub. L. No. 107-314, div. A, § 709, 116 Stat. 2458, 2586 (2002) (previously codified at 10 U.S.C. § 1074 note). For information about Project 112 and related veterans’ health benefits, visit the Department of Veterans Affairs website at http://www.benefits.va.gov/COMPENSATION/claims-postservice-exposures-project_112_shad.asp. 40 Pub. L. No. 108-375, div. A, § 735, 118 Stat. 1900, 1999 (2004) (codified as amended at 10 U.S.C. § 1074 note). 41 Pub. L. No. 110-53, § 605, 121 Stat. 226, 337 (2007). 42 Pub. L. No. 113-126, § 313, 128 Stat. 1390, 1399 (2014). 43 Pub. L. No. 117-103, div. X, § 310, 136 Stat. 49, 972 (2022) (codified at 50 U.S.C. § 3161 note). In 2021, President Biden directed the Attorney General and other agency heads to review for declassification certain information pertinent to litigation related to possible Saudi government involvement in September 11, Declassification Reviews of Certain Documents Concerning the Terrorist Attacks of September 11, 2001, Exec. Order No. 1404086, Fed. Reg. 50439 (Sept. 9, 2021). Congressional Research Service 5
The Protection of Classified Information: The Legal Framework
Executive Order 13526
The current standards for classifying and declassifying information were last amended on
December 29, 2009, in Executive Order 13526.44 Under these standards, the President, Vice
President, agency heads, and any other officials designated by the President may classify
information upon a determination that the unauthorized disclosure of such information could
reasonably be expected to damage national security.45 Such information must be owned by,
produced by, or under the control of the federal government, and must concern one of the
following:
military plans, weapons systems, or operations;
foreign government information;
intelligence activities, intelligence sources/methods, cryptology;
foreign relations or foreign activities of the United States, including confidential
sources;
scientific, technological, or economic matters relating to national security;
federal programs for safeguarding nuclear materials or facilities;
vulnerabilities or capabilities of national security systems; or
weapons of mass destruction.46
Information may be classified at one of three levels based on the amount of danger that its
unauthorized disclosure could reasonably be expected to cause to national security.47 Information
is classified as “Top Secret” if its unauthorized disclosure could reasonably be expected to cause
“exceptionally grave damage” to national security.48 The standard for “Secret” information is
“serious damage” to national security, while for “confidential” information the standard is
“damage” to national security.49 Significantly, for each level, the original classifying officer must
identify or describe the specific danger potentially presented by the information’s disclosure.50 In
case of significant doubt as to the need to classify information or the level of classification
appropriate, the information is to remain unclassified or be classified at the lowest level of
protection considered appropriate.51
The officer who originally classifies the information establishes a date for declassification based
upon the expected duration of the information’s sensitivity. If the office cannot set an earlier
declassification date, then the information must be marked for declassification in 10 years’ time
44 Classified National Security Information, Exec. Order No. 13526, 3 C.F.R. 298 (2009). For a more detailed
description and analysis, see CRS Report R41528, Classified Information Policy and Executive Order 13526.
45 Exec. Order No. 13526 § 1.1. The unauthorized disclosure of foreign government information is presumed to damage
national security. Id. § 1.1(b).
46 Id. § 1.4. In addition, when classified information is incorporated, paraphrased, restated, or generated in a new form,
that new form must be classified at the same level as the original. Id. §§ 2.1 - 2.2.
47 Id. § 1.2.
48 Id. § 1.2(a)(1).
49 Id. § 1.2(a)(2).
50 Id. Classifying authorities are specifically prohibited from classifying information for reasons other than protecting
national security, such as to conceal violations of law or avoid embarrassment. Id. § 1.7(a).
51 Id. §§ 1.1-1.2. This presumption is a change from the predecessor order.
Congressional Research Service 6The Protection of Classified Information: The Legal Framework or 25 years, depending on the sensitivity of the information.52 The deadline for declassification can be extended if the threat to national security still exists.53 Classified information is required to be declassified “as soon as it no longer meets the standards for classification.”54 The original classifying agency has the authority to declassify information when the public interest in disclosure outweighs the need to protect that information.55 On December 31, 2006, and every year thereafter, all information that has been classified for 25 years or longer and has been determined to have “permanent historical value” under Title 44 of the U.S. Code will be automatically declassified, although agency heads can exempt from this requirement classified information that continues to be sensitive in a variety of specific areas.56 Agencies are required to review classification determinations upon a request for such a review that specifically identifies the materials so that the agency can locate them, unless the materials identified are part of an operational file exempt under the Freedom of Information Act (FOIA)57 or are the subject of pending litigation.58 This requirement does not apply to information that has undergone declassification review in the previous two years; information that is exempted from review under the National Security Act;59 or information classified by the incumbent President and staff, the Vice President and staff (in the performance of executive duties), commissions appointed by the President, or other entities within the executive office of the President that advise the President.60 Each agency that has classified information is required to establish a system for periodic declassification reviews.61 The National Archivist is required to establish a similar systemic review of classified information that has been transferred to the National Archives.62 Access to classified information is generally limited to those who demonstrate their eligibility to the relevant agency head, sign a nondisclosure agreement, and have a need to know the information.63 Agency heads or senior agency officials of originating agencies may make waivers of the need-to-know requirement available for former Presidents and Vice Presidents, historical researchers, and former policy-making officials who were appointed by the President or Vice President.64 The information being accessed may not be removed from the controlling agency’s 52 Exec. Order No. 13526 at § 1.5. Exceptions to the time guidelines are reserved for information that can be expected to reveal the identity of a human intelligence source or key design concepts of weapons of mass destruction. Id. 53 Id. § 1.5(c). 54 Id. § 3.1(a). 55 Id. § 3.1(d). 56 Id. § 3.3. 57 5 U.S.C. § 552. For more information, see CRS Report R46238, The Freedom of Information Act (FOIA): A Legal Overview, by Daniel J. Sheffner. 58 Exec. Order No. 13526 § 3.5. 59 50 U.S.C. §§ 3141-43. 60 Exec. Order No. 13526 § 3.5. 61 Id. § 3.4. “Need-to-know” is based on a determination within the executive branch in accordance with relevant directives that a prospective recipient “requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.” Id. § 6.1(dd). 62 Id. § 3.4. Exec. Order No. 13526 creates a new National Declassification Center (NDC) within the National Archives to facilitate and standardize the declassification process. Id. § 3.7. For more information about the NDC, see CRS Report R41528, Classified Information Policy and Executive Order 13526. 63 Exec. Order No. 13526 § 4.1. 64 Id. § 4.4. Congressional Research Service 7
The Protection of Classified Information: The Legal Framework premises without permission.65 Each agency is required to establish systems for controlling the distribution of classified information.66 The Information Security Oversight Office (ISOO)—an office within the National Archives—is charged with overseeing compliance with the classification standards and promulgating directives to that end.67 ISOO is headed by a Director, who is appointed by the Archivist of the United States, and who has the authority to order declassification of information that, in the Director’s view, is classified in violation of the aforementioned classification standards.68 In addition, there is an Interagency Security Classifications Appeals Panel (ISCAP), headed by the ISOO Director and made up of representatives of the heads of various agencies, including the Departments of Defense, Justice, and State, as well as the CIA, and the National Archives.69 ISCAP is empowered to decide appeals of classifications challenges70 and to review automatic and mandatory declassifications. If the ISOO Director finds a violation of E.O. 13526 or its implementing directives, then the Director must notify the appropriate classifying agency so that corrective steps can be taken. Handling of Unauthorized Disclosures Under E.O. 13526, each respective agency is responsible for maintaining control over classified information it originates and is responsible for establishing uniform procedures to protect classified information and automated information systems in which classified information is stored or transmitted. Standards for safeguarding classified information, including the handling, storage, distribution, transmittal, and destruction of and accounting for classified information, are developed by the ISOO.71 Persons authorized to disseminate classified information outside the executive branch are required to ensure it receives protection equivalent to those required internally72. In the event of a knowing, willful, or negligent unauthorized disclosure (or any such action that could reasonably be expected to result in an unauthorized disclosure), the agency head or senior agency official is required to notify ISOO and to “take appropriate and prompt corrective action.”73 Officers and employees of the United States (including contractors, licensees, etc.) who commit a violation may be subject, at a minimum, to administrative sanctions that can range from reprimand to termination.74 65 Id. § 4.1(d). 66 Id. § 4.2. 67 Id. § 5.2. 68 Id. § 3.1(c). 69 Id. § 5.3. 70 Id. § 5.3(b)(1) - (3) For example, an authorized holder of classified information is allowed to challenge the classified status of such information if the holder believes that status is improper. Id. § 1.8. 71 Id. § 5.1. 72 Id. § 4.1(e). 73 Id. § 5.5(e). 74 Id. § 5.5. Specifically, administrative sanctions available with respect to “officers and employees of the United States Government, and its contractors, licensees, certificate holders, and grantees” accused of violating government security regulations, “knowingly, willfully, or negligently,” include “reprimand, suspension without pay, removal, termination of classification authority, loss or denial of access to classified information, or other sanctions in accordance with applicable law and agency regulation.” See infra section “Civil Penalties and Other Measures.” Violators may also be referred to the DOJ for potential criminal prosecution. 32 C.F.R. § 2001.48(e). See infra section “Criminal Penalties.” Congressional Research Service 8
The Protection of Classified Information: The Legal Framework
Executive Order 12333, United States Intelligence Activities,75 spells out the responsibilities of
members of the Intelligence Community (IC)76 for the protection of intelligence information,
including intelligence sources and methods. Under Section 1.7 of E.O. 12333, heads of
departments and agencies with organizations in the IC (or the heads of such organizations, if
appropriate) must report possible violations of federal criminal laws to the Attorney General “in a
manner consistent with the protection of intelligence sources and methods.”
In 2019, Congress amended the National Security Act of 194777 to require the heads and
inspectors general (IGs) of IC elements to submit semi-annual reports to the congressional
intelligence committees regarding the opening and completion of investigations of unauthorized
public disclosure of classified information.78 The same provision requires the Assistant Attorney
General for National Security of the DOJ, in consultation with the Director of the Federal Bureau
of Investigation, to provide semi-annual reports to the congressional intelligence committees, the
Committee on the Judiciary of the Senate, and the Committee on the Judiciary of the House of
Representatives a report on the status of each referral made to DOJ by any IC element regarding
an unauthorized disclosure of classified information made during the preceding year or remaining
open as of the reporting date.79
Information Security Oversight Office
ISOO Directive No. 1 (32 C.F.R. Part 2001) provides further direction for agencies with
responsibilities for safeguarding classified information. Section 2001.41 states:
Authorized persons who have access to classified information are responsible for: (a)
Protecting it from persons without authorized access to that information, to include
securing it in approved equipment or facilities whenever it is not under the direct control
of an authorized person; (b) Meeting safeguarding requirements prescribed by the agency
head; and (c) Ensuring that classified information is not communicated over unsecured
voice or data circuits, in public conveyances or places, or in any other manner that permits
interception by unauthorized persons.80
75 46 Fed. Reg. 59,941 (1981), as amended by Exec. Order No. 13284, 68 Fed. Reg. 4,077 (2003), Exec. Order No.
13355, 69 Fed. Reg. 53,593 (2004) and Exec. Order No. 13470, 73 Fed. Reg. 45,328 (2008)) (reprinted at 50 U.S.C.
§ 3001 note).
76 The Intelligence Community is defined by 50 U.S.C. § 3003(4) and E.O. 12333 to include the Office of the Director
of National Intelligence (ODNI), the Central Intelligence Agency (CIA), the Bureau of Intelligence and Research of the
Department of State (INR), the National Security Service of the Federal Bureau of Investigation (FBI), the Office of
Intelligence and Analysis of the Department of Homeland Security (DHS), the Office of Intelligence or the Coast
Guard (CG), other DHS elements concerned with the analysis of intelligence information, the Office of Intelligence and
Analysis of the Treasury Department, the Energy Department, the Drug Enforcement Agency (DEA), the Defense
Intelligence Agency (DIA), the National Security Agency (NSA), the National Reconnaissance Office (NRO), the
National Geospatial Intelligence Agency (NGA), Army Intelligence, Air Force Intelligence, Navy Intelligence, and
Marine Corps Intelligence, as well as “[s]uch other elements of any other department or agency as may be designated
by the President, or designated jointly by the Director of National Intelligence and the head of the department or agency
concerned, as an element of the intelligence community.”
77 Act July 26, 1947, ch. 343, 61 Stat. 495 (codified as amended at 50 U.S.C. §§ 3001-3243).
78 National Defense Authorization Act for Fiscal Year 2020, Pub. L. No. 116-92, § 6718, 113 Stat. 1198, 2228 (2019)
(codified at 50 U.S.C. § 3235). “Unauthorized public disclosure of classified information” is defined as “unauthorized
disclosure of classified information to a journalist or media organization.” 50 U.S.C. § 3235(a)(4).
79 50 U.S.C. § 3235(c). “Unauthorized disclosure of classified information” applies to disclosures made to any
recipient. Id. § 3235(a)(3).
80 32 C.F.R. § 2001.41.
Congressional Research Service 9The Protection of Classified Information: The Legal Framework Section 2001.45 of ISOO Directive No. 181 requires agency heads to establish a system of appropriate control measures to limit access to classified information to authorized persons. Section 2001.46 requires that classified information is transmitted and received in an authorized manner that facilitates detection of tampering and precludes inadvertent access.82 Persons who transmit classified information are responsible for ensuring that the intended recipients are authorized to receive classified information and have the capacity to store classified information appropriately.83 Documents classified “Top Secret” that are physically transmitted outside secure facilities must be properly marked and wrapped in two layers to conceal the contents, and must remain under the constant and continuous protection of an authorized courier.84 In addition to the methods prescribed for the outside transmittal of Top Secret documents, documents classified at Secret or Confidential levels may be mailed in accordance with the prescribed procedures.85 Agency heads are required to establish procedures for receiving classified information in a manner that precludes unauthorized access, provides for detection of tampering and confirmation of contents, and ensures the timely acknowledgment of the receipt (in the case of Top Secret and Secret information).86 Section 2001.48 prescribes measures to be taken in the event of loss, possible compromise, or unauthorized disclosure. It states: “Any person who has knowledge that classified information has been or may have been lost, possibly compromised or disclosed to an unauthorized person(s) shall immediately report the circumstances to an official designated for this purpose.”87 Agency heads are required to establish appropriate procedures to conduct an inquiry or investigation into the loss, possible compromise or unauthorized disclosure of classified information, in order to implement “appropriate corrective actions” and to “ascertain the degree of damage to national security.”88 The department or agency in which the compromise occurred must also advise any other government agency or foreign government agency whose interests are involved of the circumstances and findings that affect their information or interests.89 Agency heads are to establish procedures to ensure coordination with legal counsel in any case where a formal disciplinary action beyond a reprimand is contemplated against a person believed responsible for the unauthorized disclosure of classified information.90 Whenever a criminal violation appears to have occurred and a criminal prosecution is contemplated, agency heads are to ensure coordination with the DOJ and the legal counsel of the agency where the individual believed to be responsible is assigned or employed.91 ISOO must be notified in case of a violation that (1) is reported to congressional oversight committees; (2) may attract significant public attention; (3) involves large amounts of classified information; or (4) reveals a potential systemic weakness in security practices.92 81 32 C.F.R. § 2001.45. 82 32 C.F.R. § 2001.46(a). 83 Id. 84 32 C.F.R. § 2001.46(b)(1). 85 32 C.F.R. § 2001.46(c). 86 32 C.F.R. § 2001.46(f). 87 32 C.F.R. § 2001.48(a). 88 32 C.F.R. § 2001.48(c). 89 32 C.F.R. § 2001.48(b). 90 32 C.F.R. § 2001.48(e). 91 Id. 92 32 C.F.R. § 2001.48(d). Congressional Research Service 10
The Protection of Classified Information: The Legal Framework Intelligence Community The most recent intelligence community directives related to the safeguarding of classified information appear to be Intelligence Community Directive (ICD) 700, Protection of National Intelligence, effective June 7, 2012;93 ICD 701, Security Policy Directive for Unauthorized Disclosures of Classified Information, effective December 22, 2017;94 and ICD 703, Protection of Classified National Intelligence, Including Sensitive Compartmented Information, effective June 21, 2013.95 Damage assessments in the event of an unauthorized disclosure or compromise of classified national intelligence are governed by ICD 732, effective June 27, 2014.96 ICD 700 mandates an integration of counterintelligence and security functions for the purpose of protecting national intelligence and sensitive information and, among other things, to strengthen “deterrence, detection, and mitigation of insider threats, defined as personnel who use their authorized access to do harm to the security of the US through espionage, terrorism, unauthorized disclosure of information, or through the loss or degradation of resources or capabilities.”97 Under ICD 701, in the event of a possible unauthorized disclosure,98 the head of the originating IC element is to conduct an internal investigation to determine if the filing of a Crimes Report with DOJ is warranted.99 If the investigation determines that a confirmed unauthorized disclosure is likely to cause damage to the national security, the head of the originating IC element is to report the incident to the DOJ with notification to the element’s inspector general (IG), the Intelligence Community Inspector General (ICIG), and the Director of the National Counterintelligence and Security Center.100 If the DOJ declines prosecution, the ICIG may conduct an independent administrative investigation in coordination with the relevant IC element’s IG.101 Significant unauthorized disclosures that may cause “substantial risk to U.S. national security interests” are to be reported to the congressional intelligence committees.102 The DNI may prohibit the ICIG from conducting any investigation if she determines such a prohibition would be necessary to protect vital national security interests, but has to report to the congressional intelligence committees any exercise of this authority.103 Department of Defense Department of Defense Directive 5210.50, “Management of Serious Security Incidents Involving Classified Information” (October 27, 2014),104 prescribes policy and responsibilities for handling 93 Available at https://www.dni.gov/files/documents/ICD/ICD_700.pdf. 94 Available at https://www.dni.gov/files/documents/ICD/10-3-17_Atch1_ICD-701-Unauthorized-Disclosures_17- 00047_U_SIGNED.pdf. 95 Available at https://www.dni.gov/files/documents/ICD/ICD%20703.pdf. 96 Available at https://www.dni.gov/files/documents/ICD/ICD%20732.pdf. 97 ICD 700 § D.4.c. 98 An “unauthorized disclosure” is a “communication, confirmation, acknowledgement, or physical transfer of classified information, including the facilitation of, or the actual giving, passing, selling, or publishing of, or in any way making such information available to an unauthorized recipient.” ICD 701 § D.1. 99 Id. § E.3. 100 Id. § D.3. 101 Id. § D.4. 102 Id. § D.6. 103 Id. § D.7 (citing 50 U.S.C. § 3033(f)). 104 Available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/521050p.pdf. Congressional Research Service 11
The Protection of Classified Information: The Legal Framework
unauthorized disclosures of classified information to the public and other serious security
incidents. More detailed procedures governing specific types of information possibly
compromised appear in DOD Manual 5200.01, Volume 3, Enclosure 6, “Security Incidents
Involving Classified Information,” February 24, 2012.105 In the event of a known or suspected
disclosure of classified information, the heads of DOD components must take prompt action to
decide the nature and circumstances of the disclosure, determine the extent of damage to national
security, and take appropriate corrective action.106 If the inquiry or investigation turns up
information suggestive of a criminal or counterintelligence nature, component heads are to cease
investigation pending coordination with the relevant Deputy Chief Information Officer (DCIO) or
Defense Counter-Intelligence (CI) component.107
Security inquiries are to be initiated and completed within 10 duty days unless an extension is
required.108 The inquiry is aimed at discovering:
(a) When, where, and how did the incident occur? What persons, situations, or conditions
caused or contributed to the incident?
(b) Was classified information compromised?
(c) If a compromise occurred, what specific classified information and/or material was
involved? What is the classification level of the information disclosed?
(d) If classified material is alleged to have been lost, what steps were taken to locate the
material?
(e) Was the information properly classified?
(f) Was the information officially released?
(g) In cases of compromise involving the public media:
1. In what specific media article, program, book, Internet posting or other item did the
classified information appear?
2. To what extent was the compromised information disseminated or circulated?
3. Would further inquiry increase the damage caused by the compromise?
(h) Are there any leads to be investigated that might lead to identifying the person(s)
responsible for the compromise?
(i) If there was no compromise, and if the incident was unintentional or inadvertent, was
there a specific failure to comply with established security practices and procedures that
could lead to compromise if left uncorrected and/or is there a weakness or vulnerability in
established security practices and procedures that could result in a compromise if left
uncorrected? What corrective action is required? 109
Section 7(f) lists factors for determining whether to initiate an additional investigation by a DCIO
or the DOJ in the event classified information appears in the public media:
The accuracy of the information disclosed.
105 DOD Manual 5200.01, Volume 3, DoD Information Security Program: Protection of Classified Information (2012),
https://www.dodcui.mil/Portals/109/Documents/Policy%20Docs/
DoDM%205200.01,%20Vol%203%20DoD%20INFOSEC%20Progam%20—%20Prot%20of%20Class%20Info.pdf.
106 Id. Encl. 6, § 6(a).
107 Id. Encl. 6 § 6(b).
108 Id. Encl. 6 §6 (d)(2).
109 Id. Encl. 6 § 6(d)(4).
Congressional Research Service 12The Protection of Classified Information: The Legal Framework
The damage to national security caused by the disclosure and whether there were
compromises regarding sensitive aspects of current classified projects, intelligence
sources, or intelligence methods.
The extent to which the disclosed information was circulated, both within and outside the
Department of Defense, and the number of persons known to have access to it.
The degree to which an investigation shall increase the damage caused by the disclosure.
The existence of any investigative leads.
The reasonable expectation of repeated disclosures.110
If classified DOD information appears in a newspaper or other media, the head of the appropriate
DOD component is responsible for the preparation of a “DOJ Media Leak Questionnaire” to
submit to the Under Secretary of Defense for Intelligence, who prepares a letter for the Chief,
Internal Security Section of the Criminal Division at the DOJ.111 The following eleven
questions112 are to be promptly and fully addressed:
Date and identity of the media source (article, blog, television, or other oral
presentation) containing classified information.
Specific statement(s) that are classified, and whether the information is properly
classified.
Whether disclosed information is accurate.
Whether the information came from a specific document, and if so, the
originating office and person responsible for its security.
Extent of official circulation of the information.
Whether information has been the subject of prior official release.
Whether pre-publication clearance or release was sought.
Whether sufficient information or background data has been published officially
or in the press to make educated speculation on the matter possible.
Whether information is to be made available for use in a criminal prosecution
and the person competent to testify on its classification.
Whether information has been considered for declassification.
The effect the disclosure of the classified data might have on the national
defense.113
110 Id. Encl. 6 § 7(f).
111 Id. Encl. 6 § 7(g).
112 The questions apparently originated as part of a Memorandum of Understanding concluded between the DOJ and
elements of the Intelligence Community. See U.S. Congress, Senate Select Committee on Intelligence, Concerning
Unauthorized Disclosure of Classified Information, 106th Cong., 2nd sess., June 14, 2000 (Statement of Attorney
General Janet Reno).
113 DOD Manual 5200.01, Volume 3, Enclosure 6, Appendix 2, “DOJ Media Leaks Questionnaire,” February 24, 2012.
Congressional Research Service 13The Protection of Classified Information: The Legal Framework Department of State Information security at the State Department114 is governed by 12 FAM 500 and 600.115 The Bureau of Administration is responsible for implementing E.O. 13526 as it applies to the classification and declassification of material, the marking of classified material, and relevant training and guidance.116 The Bureau of Diplomatic Security (DS) is responsible for protecting classified information and special access programs.117 Senior agency officials have the primary responsibility for overseeing their respective agency’s information security program, while supervisors are charged with safeguarding classified information within their organizational units.118 Individual employees having access to classified material are responsible for maintaining its security.119 Security incidents are to be reported through the appropriate security officer to DS.120 The employee suspected of having caused the incident is given an opportunity to provide a statement of defense or mitigating circumstances, after which the incident is referred to his or her supervisor and to DS.121 DS is responsible for evaluating security incidents and performing final adjudication of them and initiation of any further action deemed necessary.122 Investigations of loss, unauthorized disclosure, or serious compromise of classified information are covered in 12 FAM 228.4 and are the responsibility of the Professional Responsibility Division (DS/ICI/PR) of the Office of Investigations and Counterintelligence.123 In the event of a “media leak” of classified information, the originating agency is to undertake an initial investigation to determine if any other agency had access to the information, and if necessary request that such receiving agency conduct an appropriate investigation into the unauthorized disclosure.124 The manual notes that DOJ may decide to prosecute those who disclose classified information without authority, but does not provide a list of reporting criteria.125 Penalties for Unauthorized Disclosure In addition to administrative penalties agencies may employ to enforce information security, there are several statutory provisions that address the protection of classified information as such, but 114 U.S. Department of State Foreign Affairs Manual Volume 12—Diplomatic Security, Part 500, Information Security and Part 600, Information Security Technology, available at https://fam.state.gov/Volumes/Details/12FAM. 12.FAM 500 applies to all national security and sensitive information that is “owned by, originated by, produced by or for, or under the control of Foreign Affairs Agencies” at all State Department-controlled locations. 12 FAM 511.1. Foreign Affairs Agencies include the Department of State, United States Agency for International Development, United States International Development Finance Corporation, Trade and Development Program, and all other executive branch personnel located under the jurisdiction of a chief of mission. Id. 115 12 FAM 500 and 600. 116 Id. at 512.1-1. 117 Id. 118 Id. at 512.1. 119 Id. at 512.1-3. 120 Id. at 554. 121 Id. at 555(c)(2), (d)(2). 122 12 FAM 556. 123 Id. at 226.7-2(c). 124 Id. at 226.7-4. 125 See id. Congressional Research Service 14
You can also read
